Information Commissioner's Office


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


X Yes


No 


Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


We would appreciate further guidance about information we are obliged to provide in a 
subject access request which may put other people at risk. 


For example, one of our customers requested confirmation of whether particular staff 
members had accessed their personal data. Under this guidance we understand we would 
be required to share this. However, in these circumstances there was a risk to the staff 
member as a result of sharing this information. The risk was likely and consisted of 
physical violence. 


The advice we were given at the time by the ICO was that we were best placed to make 
this decision. We agree with this but think it should be referenced in the guidance. 


Q2 Does the draft guidance contain the right level of detail? 


X Yes


No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


We agree with the level of detail and consider this necessary. However, we prefer how 
you structure guidance on your website, for example the Guide to the General Data 
Protection Regulation. We think the Right of Access Guidance would work well in this
format where there are headings with summary information and links to more detailed
guidance where required. 


Q3 Does the draft guidance contain enough examples? 


Yes 


X No


Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


We think there should be examples wherever there is room for ambiguity or where you 
are asking organisations to exercise judgment. This will assist us in our decision-making 
process. Sections we feel would benefit from examples include: 

• ‘When is a request complex?’, particularly around technical difficulties in retrieving
  the information, and
• ‘What does manifestly unfounded mean?’, particularly around where a request
  contains unsubstantiated accusations against employees, and the individual is
  targeting an employee against whom they have some personal grudge.


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


We have never defined any requests as manifestly unfounded or excessive. 


Based on the bullet-point list examples of what is considered manifestly unfounded, we 
cannot think of any real-life examples where we would be able to apply these without 
asking the individual’s motivation for making their subject access request and assessing 
whether it is valid. This conflicts with other guidance from the ICO, which states that 
subject access requests are designed to be ‘purpose-blind’, and we cannot query the 
reason for an individual or their representative requesting the information. 


For example, our staff members sometimes have to make difficult decisions regarding the
termination of a customer’s tenancy. This frequently triggers complaints about our
decision-making process, and these complaints often contain subject access requests for 
all personal data held on the individual. It is clear that the individual is trying to find out 
what a certain member of staff has said about them or trying to find reasons to bring a 
claim, rather than reviewing what data we hold about them. 


Following this guidance, we think that the subject access request would be manifestly 
unfounded. However, we feel that this conflicts with the ‘purpose-blind’ principle, and in 
reality if challenged we would be required to provide the information requested. 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful   2 - Slightly useful   3 - Moderately useful   4 - Very useful   5 - Extremely useful


Q6 Why have you given this score? 


Overall, the guidance is clear and provides additional and relevant information. However, 
there are some areas, mentioned in this response, that would benefit from further clarity
and examples.


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


O Strongly disagree   O Disagree   O Neither agree nor disagree   X Agree   O Strongly agree


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


We think on page 18 under the section ‘When is a request complex?’ there should be 
further information on what type of technical difficulties would be accepted as 
complex. For example, we struggle with extracting data in a format which the 
individual would be able to receive and read, particularly personal data contained in 
emails. This is a characteristic of our current system’s capabilities and technological 
abilities. This is likely to apply to every subject access request we receive until a 
completely new system is implemented, which is planned but will take a number of 
years. 


On page 40 under heading ‘Step 1 - Does the request require the disclosure of
information that identifies another individual?’ we think this section should include
information about tools such as redaction. This allows organisations to comply with
requests without revealing information about other individuals, which makes it 
relevant to this section. 


On page 4, para 1 under the heading ‘Are individuals only entitled to their own 
personal data?’ there is the following sentence: They are not entitled to information
relating to other people (unless their data also relates to other individuals). We do not 
understand the meaning of this sentence. There is a suggestion that an individual is 
entitled to information relating to other people where their data also relates to other 
individuals. This is not explained in the guidance and we are unclear about what 
‘relates to’ means in this context. 


Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


West Kent Housing Association 


What sector are you from: 


Third sector - social housing 


Q10 How did you find out about this survey? 


ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 




Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


